iRules Update: New options for the "log" command

April 08, 2008 by Deb Allen

If you've written your first iRule, you've most likely used the log command to check your iRule logic or reflect the status of the connections running through it. Recent updates to the log command make it even more useful by providing direct support within iRules for selective remote syslogging.

Remote Log Server Support

In LTM 9.4.0, the log command was enhanced to provide the ability to send messages to a remote server. You can also optionally specify the remote port if you want messages to be sent to a port other than the default remote syslog port (514). If you specify a remote log server address, you must at least also specify the log facility.

This discretionary remote log server support is extremely useful if you want specific iRule activity logged to a remote location, but still want to retain your existing global syslog-ng configuration.

Rule Name Suppression

By default, every BIG-IP log message looks something like the sample below:

    Apr 8 04:20:42 tmm tmm: 01220002:6: Rule : Log me, baby

The "-noname" option was added in LTM 9.4.2 to allow suppression of any "Rule : <rulename> <event>" string that may be prefixed to the message by LTM. Its intended use was for remote logging, but it works locally as well. If you include the "-noname" option, you must at least also specify the log facility.

Examples

Here is the recommended basic log command syntax for local logging to the default log level (specifying the facility ensures all activities will be logged as unique events; local0 is the default facility for LTM logging):

    log local0. "Log me one time"

The resulting output looks like this:

    Apr 8 04:20:42 tmm tmm: Rule : Log me one time

This example uses the "-noname" option to log locally while suppressing the "iRule :" string prefixing the message text:

    log -noname local0. "I could not speak"

with this result:

    Apr 8 04:20:42 tmm tmm: I could not speak

Use this syntax to specify a remote syslog server on the default port, facility & level:

    log 192.168.0.1 local0. "Log me 2x, girl"

The message with the "Rule : " prefix will be sent to the remote server:

    Rule : Log me 2x, girl

This syntax will log to the syslog service at 192.168.0.1 on port 5514, suppressing the "Rule : " prefix:

    log -noname 192.168.0.1:5514 local0. "Log me all thru the week"

The message, this time without the "Rule : " prefix, will be sent to the remote server on the specified port:

    Log me all thru the week

You can still specify the log level in addition to the facility, as in previous versions:

    log 192.168.0.1:514 local0.warning "Log me 2x"

and the message format remains unchanged (though it may be filtered differently):

    Rule : Log me 2x

And finally, you can combine all 3 to send messages to a remote server on an alternate port, specifying a new log facility and level, and suppressing the iRule name output:

    log -noname 192.168.0.1:5514 local3.warning "I'm goin' away"

This message will be sent to 192.168.0.1:5514 on local3.warning:

    I'm goin' away

More on logging with iRules…

Full details of the "log" command can be found in the iRules wiki: https://devcentral.f5.com/wiki/default.aspx/iRules/log.html

Joe's iRule Debugging article: iRules 101 #09 - Debugging

Need more extensive or global syslog configuration changes in LTM 9.4.2 & above? Check this: LTM 9.4.2+: Custom Syslog Configuration

last modified: December 08, 2012

11 Comment(s):

Will this work on GTM v10.2?

Hello, I've tried with the -noname option but it still displays tmm; this is what I used for the command: log -noname x.x.x.x local0. "test" displays: tmm[x] test. Any advice? Thanks

Looks great, can you provide the syntax for "-pool syslog_server_pool"? I currently only have one syslog server.

You can now by using the HSL::open/HSL::send commands. Check them out in the wiki: http://devcentral.f5.com/wiki/default.aspx/iRules.HSL

Any reason for no TCP? UDP has problems under heavy loads.

no, just UDP

Is it possible to do TCP syslogging directly from the iRule to a remote system? Thanks.

Here's some relevant info I discovered after the article was published:
1. The remote syslog server specified with the iRules log command must be TMM routable, meaning that it must not be routable via the management port.
2. You can increase the remote logging message max size to 64K: http://devcentral.f5.com/weblogs/deb/archive/2008/04/23/3189.aspx
/deb

A possible workaround: If you wanted to log the hostname of the BIG-IP, you could define a class with the hostname of the BIG-IP and then add an entry to the log statement for $::hostname_class. The class source would be an external file. See this post for details: http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&tpage=1&view=topic&postid=9735#9805
Aaron

I'm not aware of any way to modify the LTM default log headers. (The "-noname" option just suppresses the identification string that LTM automatically prefixes to the actual log message.)

Speaking of logging, how would you turn this:
Apr 8 04:20:42 tmm tmm: 01220002:6: Rule : Log me, baby
Into this:
Apr 8 04:20:42 hostnamehere tmm tmm: 01220002:6: Rule : Log me, baby
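The selective remote logging described in the article's Examples section, put into a complete iRule. This is an added example, not code from the original article or from F5: the /admin path, the "irule=admin_audit" tag and the 256-character cap are assumptions, and the syslog target is the article's sample address.

```tcl
# Added example (not from the original article).
# Assumptions: /admin is the path worth auditing, "irule=admin_audit" is a
# self-chosen tag, 256 characters is an arbitrary cap on the logged URI.
when HTTP_REQUEST {
    set audit 0
    if { [string tolower [HTTP::path]] starts_with "/admin" } {
        set audit 1
        # Strip control characters so request data cannot split or forge
        # log lines on the receiving syslog server, then cap the length.
        regsub -all {[[:cntrl:]]} [HTTP::uri] "" uri
        set uri [string range $uri 0 255]
        set client [IP::client_addr]
        set method [HTTP::method]
    }
}

when HTTP_RESPONSE {
    if { $audit } {
        set status [HTTP::status]
        if { $status == 401 || $status == 403 } {
            # Denied request: send to the remote server on local3.warning.
            # -noname removes the LTM rule-name prefix, so the message
            # carries its own tag to remain traceable to this iRule.
            log -noname 192.168.0.1:5514 local3.warning \
                "irule=admin_audit client=$client method=$method status=$status uri=$uri"
        } else {
            # Everything else stays in the local log with the default prefix.
            log local0. "admin request client=$client status=$status uri=$uri"
        }
    }
}
```

Only the denied requests leave the box, so the global syslog-ng configuration is untouched while the remote collector receives a small, filterable stream on its own facility and level.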